Active Directory management & automation

Grant Rights to Create Users

In order to grant permissions to create users in Active directory, you need to create a Security Role, specify necessary permissions, and assign this Role to users or groups who will be allowed to create users. Then you need to specify where these users or groups are allowed to exercise permissions granted by this Role.

1Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.

Launching the Create Security Role wizard

2Enter the name for the new Role, and click Next.

3Here you need to specify permissions the new Role will grant. Clicking the Add button will display the Add Permissions dialog.

Create Security Role - Step 2

4In the Operations on child objects section, check the Create Child Objects permission in the Allow column.

Add Permission

5Now we need to specify what types of child objects the Role will allow creating. Click Select object types and select User as shown in the figure below. Click OK.

Select child object types

When you select child object types, you specify what types of objects the Security Role will affect.

Optionally, add the Read permission

It is reasonable to specify the Read - All object types permission for every Security Role, as this permission allows browsing Active Directory. By default, this permission is granted by the Domain Users built-in Role, however, if that Role is disabled, users will not be able to view any objects in Active Directory.

In the Add Permissions dialog, select the Read permission in the Allow column of the General permissions section. Click OK.

Specify additional permissions

6In the Role Permissions window you should see the permissions you have just specified. Click Next.

Specified permissions

7Here, at the Assign Role page, specify users or groups to which you want to assign the new Role. To quickly find a user or group, type its name in the search field. Click Search button Search and select the user or group you need in the search results.

Role assignments

8Clicking the Assign button will display the Role Activity Scope dialog. Here you need to select the location, where the selected user or group will be able to create users.

You can select one of the following items:

  • All Objects - select if you want to allow the selected users or groups to create users in any AD domain managed by the Adaxes service.

  • Specific Domain - select a specific AD domain if you want to allow the selected users or groups to create users in any location of the AD domain you specify. When selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    Select All objects in this Domain. It means that users or groups specified at the previous step will be able to apply permissions of the new Role anywhere in the selected domain.

    Assignment Options for a Specific Domain

  • OU or Container - select a specific organizational unit or container if you want to allow the specified users or groups to create users in the selected OU or container. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow creating users in the selected organization unit only and not under its child OUs or containers, click This Organizational-Unit object.

    To allow creating users under the selected OU and all of its child OUs and containers at any nesting level, click Child objects of this Organizational-Unit.

    To allow creating users only under the direct children of the selected OU, check also Immediate child objects only.

    Assignment Options for an OU or Container

Select the object you need and click Add. When finished, click OK.

9When specified, your assignment will be displayed in the Assignments list. Click Finish.


Security Roles enable central permission management. It means that you can modify permissions of users performing the same role at once. For example, when you add a new permission to a Security Role, this permission is granted to all users and groups the Role is assigned to.
? Waiting

Progress status: Checking...